
How to get the Top 10 Source Ports in Splunk for Snort?

ggudgin
Explorer

I have events from Snort, running on pfSense 2.4.2, being sent to Splunk. I see the reports with:
Top 10 source IP Addresses
Top 10 Destination IP Addresses
Top 10 Destination Ports

but my Top 10 Source Ports is "no results found"

It looks like something must be changed in what is being sent or how it is parsed.

[119:7:1] http_inspect: IIS UNICODE CODEPOINT ENCODING [Classification: Unknown Traffic] [Priority: 3]:  {TCP} 192.168.1.40:54565 -> 144.76.166.55:80\x00

What I do notice is that the source IP:port has an extra "\x00", which I don't know what that is, but could it be the issue?

Any ideas? Does anyone else have a similar setup that works?

0 Karma
1 Solution

ggudgin
Explorer

Now I understand more about how Splunk works under the hood. I have figured out how to fix the field extraction in the SnortforSplunk-supplied props.conf and leave the dashboard unmodified.
Copy props.conf from /default to the /local directory and modify the EXTRACT-source_port line, either by changing the original or by adding a new line and commenting out the old one. The only change is that the 6 became a 7:

#EXTRACT-source_port = ^(?:[^:\n]*:){6}(?P<source_port>\d+)
EXTRACT-source_port = ^(?:[^:\n]*:){7}(?P<source_port>\d+)

Something must have changed in the later Snort/Barnyard2 message, but now, with that tiny change, the original dashboard works correctly.


0 Karma

richgalloway
SplunkTrust
SplunkTrust

@ggudgin If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

ggudgin
Explorer

src_ip is not the problem; it is the visual for src_port. In the search app I can use:

 sourcetype=snort | top 10 src_port

This results in the top 10 correctly listed, with the % for each. Given the hint you provided, and now realizing that I can edit the dashboard source code (I'm still learning), I can see the problem. The dashboard is using source_ip, source_port, destination_ip and destination_port to build the report. When I check which fields are extracted, I have src_ip, src_port, dest_ip, dest_port, source_ip, destination_ip and destination_port. There is no source_port. Changing the dashboard code from source_port to src_port, I get a pie chart. So now I just need to figure out why I have a src_port but not a source_port field. Either way, I have learnt some more about Splunk and can at least fix the problem by modifying the dashboard.

0 Karma

Azeemering
Builder

Hi,

The underlying search for the Top 10 Source Ports is sourcetype="snort" | top 10 src_ip
When I create a test logfile with your logfile data and import it in my test splunk instance I get the report without any issue.

Can you check if you have a correct field extraction for src_ip for the snort sourcetype?
It needs to be like this:
(?<src_ip>\d+.\d+.\d+.\d+)(?::\d+)* -> \d+.\d+.\d+.\d+(?::\d+)\s$

0 Karma

ggudgin
Explorer

[Update] The issues with the \x00 and the line breaks were caused by using TCP to forward events to Splunk. Although I could resolve them using props.conf, I decided to revert to UDP and not jump through the hoops with props.conf. Doing so, however, has not fixed the Top 10 Source Ports showing "no results found".
The event is being parsed correctly as seen below. Splunk identifies the src_port correctly in search mode.

[120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [Classification: Unknown Traffic] [Priority: 3]: <vtnet0> {TCP} 23.32.46.72:80 -> 192.168.1.92:57902
dest_ip = 192.168.1.92
dest_port = 57902
src_ip = 23.32.46.72
src_port = 80

I can only guess that there is an issue within the Snort for Splunk application looking at the wrong field to display on the dashboard.

0 Karma
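The two things this thread circles around are (1) the shipped EXTRACT-source_port regex, which counts colon-separated fields from the start of the line and so breaks as soon as the Snort/Barnyard2 message gains or loses a field, and (2) the trailing \x00 that appears when events are forwarded over TCP. The script below is an added example, not code from the Snort for Splunk app or from any poster in this thread. It runs the app's {6} extraction and the accepted {7} fix over the two alert lines quoted above plus two constructed alerts (one with one fewer field before the address pair, one ICMP alert with no ports), reports how many colons precede the {PROTO} tag in each, and contrasts that with an extraction anchored on the "{PROTO} src -> dest" tail at the end of the message. That anchored regex is my suggested alternative, not the app's, and the sample events are constructed, not captured from a sensor.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not from a live sensor). The first two are the
# alert lines quoted in the thread, the first exactly as it arrived over TCP
# with its trailing NUL byte; the last two are made up here to show a message
# with one fewer colon-separated field and an ICMP alert that carries no ports.
EVENTS = [
    "[119:7:1] http_inspect: IIS UNICODE CODEPOINT ENCODING "
    "[Classification: Unknown Traffic] [Priority: 3]:  {TCP} 192.168.1.40:54565 -> 144.76.166.55:80\x00",
    "[120:3:1] http_inspect: NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE "
    "[Classification: Unknown Traffic] [Priority: 3]: <vtnet0> {TCP} 23.32.46.72:80 -> 192.168.1.92:57902",
    "[1:2000:1] http_inspect: CONSTRUCTED TEST [Priority: 3]: {UDP} 10.0.0.5:5353 -> 10.0.0.1:53",
    "[1:3000:1] CONSTRUCTED ICMP TEST [Priority: 3]: {ICMP} 10.0.0.9 -> 10.0.0.1",
]

# The two positional extractions from the thread: the app's default and the
# accepted fix. Both skip N colon-terminated fields from the start of the line
# and take the digits immediately after the Nth colon.
SHIPPED_SOURCE_PORT = re.compile(r"^(?:[^:\n]*:){6}(?P<source_port>\d+)")
FIXED_SOURCE_PORT = re.compile(r"^(?:[^:\n]*:){7}(?P<source_port>\d+)")

# Suggested alternative (mine, not the app's): anchor on the {PROTO} tag and
# the "src -> dest" pair at the end of the message, so the number of fields
# before it is irrelevant. Ports are optional so ICMP alerts still parse.
ADDR_PAIR = re.compile(
    r"\{(?P<proto>[A-Z0-9]+)\}\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?"
    r"\s+->\s+"
    r"(?P<dest_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dest_port>\d+))?"
    r"\s*$"
)


def strip_nul(event: str) -> str:
    """Drop the trailing NUL that Barnyard2 output carries when forwarded over TCP."""
    return event.rstrip("\x00")


def colons_before_addresses(event: str) -> int:
    """Count the ':' characters before the '{PROTO}' tag: what the positional regexes depend on."""
    head = event.split("{", 1)[0]
    return head.count(":")


def positional_source_port(event: str, pattern: "re.Pattern") -> Optional[str]:
    """Apply one of the colon-counting extractions; None when it does not match."""
    m = pattern.match(strip_nul(event))
    return m.group("source_port") if m else None


def extract_addresses(event: str, strip: bool = True) -> Optional[Dict[str, Optional[str]]]:
    """Anchored extraction of proto, src_ip, src_port, dest_ip and dest_port.

    With strip=False the trailing \\x00 of a TCP-forwarded event defeats the
    end-of-line anchor, so the extraction silently returns None.
    """
    text = strip_nul(event) if strip else event
    m = ADDR_PAIR.search(text)
    return m.groupdict() if m else None


def top_ports(events: List[str], field: str = "src_port", n: int = 10) -> List[Tuple[str, int]]:
    """Rough stand-in for '| top N src_port' over the parsed events; events without the field are skipped."""
    counts: Counter = Counter()
    for ev in events:
        fields = extract_addresses(ev)
        if fields and fields[field] is not None:
            counts[fields[field]] += 1
    return counts.most_common(n)


if __name__ == "__main__":
    for ev in EVENTS:
        print(
            "colons before {PROTO}:", colons_before_addresses(ev),
            "| {6} ->", positional_source_port(ev, SHIPPED_SOURCE_PORT),
            "| {7} ->", positional_source_port(ev, FIXED_SOURCE_PORT),
            "| anchored ->", extract_addresses(ev),
        )
    print("top src_port:", top_ports(EVENTS))
```

The constructed third event is the interesting one: with one fewer field in front of the address pair, the {6} regex returns the source port and the {7} regex silently returns the destination port instead, which is a worse failure than "no results found" because nothing looks broken. If you want the anchored form in local/props.conf, Splunk's PCRE accepts both the Python-style (?P<name>...) groups used above and the (?<name>...) style used elsewhere in this thread.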